OpenBSD fails completely for the Tor threat model which downloading and updating software over untrusted exit relays. OpenBSD does not offer any signed files, they do not even offer hash sums for all required files (at least the ports tar ball doesn't have one). When asking about that the answer is "buy the CDs" (=something like $80 per year if you want to stay current). As if CDs via post through a 3rd party reseller offer a better trust chain than mirrors with hash sums, let alone proper WOT signatures. There are alternatives to GnuPG if it's just about the license... Further, tracking stable - which is recommended for production systems - is needlessly complex: it requires the user to recompile everything even though there are usually only a few packages that require an update. The most fitting approach would be to just apply the patches from the errata but apparently not all security related fixes in -stable are listed there and OpenBSD admits as much that patch branch is really not user-friendly. Further problems: OpenBSD seems to default to using very "conservative" hash algorithms, md5 or sha1 which are both broken. This clashes with their claimed crypto focus. FDE support is lacking/limited. There doesn't seem to be a modern mandatory access control (MAC[2]), instead there's systrace which has been criticized for having fundamental security problems (this may or may not have changed since then). OpenBSD doesn't seem to be using PIE executables by default, meaning, it doesn't really have ASLR. Documentation about such issues is completely lacking. There's also the strange policy of sticking with bind and sendmail when there were secure-by-design alternatives (see PDF!) with much better track record, BIND-9, despite the rewrite, continues to be a security hazard just judging by the OpenBSD errata entries. OpenBSD would otherwise be a great choice for Whonix-Gateway. It has a very capable firewall, the track record is probably better than of any other OS though they (just like their competition for fairness sakes) prefer to label "potential" code execution vulnerabilities as a DoS. OpenBSD is also a very small OS (small TCB), its kernel may be the most secure UNIX-like kernel, but it's still a monolithic kernel. Their claim of being THE most secure operating system has become more and more dubious since the introduction of actually usable microkernels. In summary: I don't like their attitude and several essential (for Whonix) security properties are missing.

Also see security vulnerability - NTP not authenticated and it doesn't look like they step forward to fix it. The suggestion was to authenticate the connection to the NTP server, which is not possible for Whonix for many reasons. [3]

OpenBSD's target audience aren't end users, that's why they don't care to provide signed updates for the masses, see How to check downloaded package on OpenBSD 5.1?.

OpenBSD's website isn't reachable over SSL or as a Tor hidden service. How are users supposed to securely view the OpenBSD site and not learn things set up by a man-in-the-middle?

If they don't attract the masses, ordinary crackers, hackers and the security research community doesn't get attracted as they do with more popular operating systems. At the same time a targeted attack gets easier, because people who get paid to find exploits can find them more easily.

If this sounds a bit harsh on OpenBSD it's because it could be such a great OS but it isn't (mostly more for political and social/"ego" than technical reasons) which is frustrating.

Update 1: There is now Qubes OS and I am missing such innovative security improvements from OpenBSD, which claims to be the most secure operating system.

Update 2: OpenBSD according to bststats.org (w) has very few users. 56 at time of writing. I know, that people must undergo a rather complicated manual process to get counted, however compared to 24,168 FreeBSD users, that's not very much.
[edit]

=======

Why don't you use FreeBSD, which is more secure?!?

Does FreeBSD have a secure package manager?

Does it defend this (w)?

Does it cover the TUF threat model (w)?

Can every user download from an already existing signed repository or is it required to run an own repository?

There's an awful lot there, so I'd like to ask only about the signing issue, since it's something I was curious about once reading a Usenix article insisting signed packages are a necessity (the authors were Arch Linux users IIRC). If we don't trust the channels even for getting a cd in the mail how would we trust that we have the right public key when we authenticate a signature (says the guy whose firefox tells him his corporate self-signed webmail certificate is untrusted and different from previous ones every couple of days and hasn't said anything, i.e. a very trusting user)?

If I get md5 sums from one source and source code from a separate source, that seems okay to me (or at least probably more robust than the actual looking over of the third party source code in the first place). Okay, so md5 can theoretically have collisions but how easy is it, actually, to do a collision and have a binary still run and do some mischief?

For the source code of OpenBSD proper, yeah, I'm getting mine in the U.S. mail, so maybe I'm actually getting NSA/OpenBSD in reality. I guess I could ask my relatives who are still in Canada to buy it for me and pick it up from them, but, frankly, as long as Stephen Harper remains Emperor for life, I'm not sure how much that helps. Guess I should just drive to Calgary and take the code from Theo DeRaadt at gunpoint.